From e4f3741ca04f3b933922ec4c2aac3d2693ef561e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 13 Sep 2025 21:37:08 -0500
Subject: [PATCH] r/ssh-host-certs: Import systemd unit files

The _sshca-cli_ package no longer provides a _-systemd_ sub-package containing the systemd unit files for automatically requesting and renewing SSH host certificates. Its original intent was to support automatically signing certificates on first boot by having the unit files installed by Anaconda, but this never really worked for various reasons. Since I'd rather not have to rebuild the RPMs every time I need to make a change to the systemd units, and Ansible is required to actually get the certificates issued anyway, it makes more sense to have the unit files in the configuration policy instead.
---
 .../files/ssh-host-cert-sign@.service | 34 +++++++++++++++++++
 .../files/ssh-host-certs-renew.target | 7 ++++
 .../files/ssh-host-certs-renew.timer | 12 +++++++
 roles/ssh-host-certs/tasks/main.yml | 31 ++++++++++++++---
 4 files changed, 79 insertions(+), 5 deletions(-)
 create mode 100644 roles/ssh-host-certs/files/ssh-host-cert-sign@.service
 create mode 100644 roles/ssh-host-certs/files/ssh-host-certs-renew.target
 create mode 100644 roles/ssh-host-certs/files/ssh-host-certs-renew.timer

diff --git a/roles/ssh-host-certs/files/ssh-host-cert-sign@.service b/roles/ssh-host-certs/files/ssh-host-cert-sign@.service
new file mode 100644
index 0000000..0efde1e
--- /dev/null
+++ b/roles/ssh-host-certs/files/ssh-host-cert-sign@.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign
+ExecStart=/usr/bin/sshca-cli host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+
+CapabilityBoundingSet=CAP_CHOWN
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/etc/ssh
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
diff --git a/roles/ssh-host-certs/files/ssh-host-certs-renew.target b/roles/ssh-host-certs/files/ssh-host-certs-renew.target
new file mode 100644
index 0000000..9e54f1b
--- /dev/null
+++ b/roles/ssh-host-certs/files/ssh-host-certs-renew.target
@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service
diff --git a/roles/ssh-host-certs/files/ssh-host-certs-renew.timer b/roles/ssh-host-certs/files/ssh-host-certs-renew.timer
new file mode 100644
index 0000000..3f6f728
--- /dev/null
+++ b/roles/ssh-host-certs/files/ssh-host-certs-renew.timer
@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/ssh-host-certs/tasks/main.yml b/roles/ssh-host-certs/tasks/main.yml
index e91b39b..d57760e 100644
--- a/roles/ssh-host-certs/tasks/main.yml
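Review bot: The `[Unit]` section of ssh-host-cert-sign@.service has no condition on the key file it signs, while ssh-host-certs-renew.target in the next hunk wants the ed25519, rsa and ecdsa instances unconditionally; on a host where one of those key types was never generated, that instance presumably fails on every timer run and shows up as a failed unit. Adding `ConditionPathExists=/etc/ssh/ssh_host_%I_key.pub` to `[Unit]` makes such instances skip cleanly instead of failing. The leading `-` on `EnvironmentFile=-/etc/sysconfig/ssh-host-cert-sign` also makes a missing or unrendered environment file silent; since main.yml always templates that file, dropping the `-` would turn a misconfiguration into a visible unit failure rather than a signing attempt without its settings, assuming the CLI depends on that file (not visible in this diff).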
+++ b/roles/ssh-host-certs/tasks/main.yml @@ -1,12 +1,33 @@ -- name: ensure sshca-cli-systemd is installed +- name: ensure sshca-cli is installed package: - name: sshca-cli-systemd + name: sshca-cli state: present - notify: - - restart ssh-host-certs.target tags: - install +- name: ensure sshca-cli-systemd is not installed + package: + name: sshca-cli-systemd + state: absent + tags: + - uninstall + +- name: ensure ssh host cert signing systemd units are installed + copy: + src: '{{ item }}' + dest: /etc/systemd/system/{{ item }} + owner: root + group: root + mode: u=rw,go=r + loop: + - ssh-host-cert-sign@.service + - ssh-host-certs-renew.target + - ssh-host-certs-renew.timer + notify: + - reload systemd + tags: + - systemd + - name: ensure ssh-host-cert-sign is configured template: src: ssh-host-cert-sign.env.j2 @@ -15,7 +36,7 @@ group: root mode: u=rw,go=r notify: - - restart ssh-host-certs.target + - restart ssh-host-certs-renew.target tags: - config
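Review bot: The new copy task notifies `reload systemd` and the second hunk notifies `restart ssh-host-certs-renew.target`, but the diffstat lists no change under roles/ssh-host-certs/handlers; unless both handlers already exist there, the play aborts with an unknown-handler error the first time one is notified. Nothing in the visible hunks enables or starts ssh-host-certs-renew.timer, which is what now drives periodic renewal once the RPM-provided units are removed, so if no other task in main.yml does it, add a task after the copy such as `systemd: name: ssh-host-certs-renew.timer enabled: true state: started`. The rest of main.yml (new-side lines 34-35 and anything after 42) is outside these hunks, so either point may already be covered there.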
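Review bot: The handler rename is the only change in this hunk, but the template task it belongs to installs /etc/sysconfig/ssh-host-cert-sign with `mode: u=rw,go=r`, and the new ssh-host-cert-sign@.service reads that file as its EnvironmentFile with no `User=` set, so it runs as root; if the rendered file carries any credential or token for the CA, `go=r` exposes it to every local user. If that is the case, `mode: u=rw,go=` keeps it private without affecting the unit. The template's contents are not in this diff and the task's `template:`/`dest:` lines sit outside this hunk, so this only needs action if the env file holds more than a plain endpoint setting.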